IETF Logo Mail Archive

Re: [TLS] Two Multi-CDN proposals

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 28 February 2019 01:24 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57AE01277D2 for <tls@ietfa.amsl.com>; Wed, 27 Feb 2019 17:24:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zw2iORywDeYA for <tls@ietfa.amsl.com>; Wed, 27 Feb 2019 17:24:21 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2628130EB3 for <tls@ietf.org>; Wed, 27 Feb 2019 17:24:20 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 929CABE2E; Thu, 28 Feb 2019 01:24:17 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yt6eDVjNLRzj; Thu, 28 Feb 2019 01:24:15 +0000 (GMT)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 99BD7BE24; Thu, 28 Feb 2019 01:24:15 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1551317055; bh=ciJTFBL1xDYz1BcUBapQboJwkGEvr37Z3MDh+0mvwsE=; h=To:References:From:Subject:Date:In-Reply-To:From; b=w2A7Y+npINJysps0IetOr4I9kxEpUktZ+XGnxXK+d4MsdKxf7IrPFO4nOYs1yD9oG Y9iaM6pida7ptEgRTDN1gVrC6U3JRrm9xsVWF54xczx5kcMBzkgxro8Fwh1piPJHku rDQSyYoCS/mUwiZYB1NtBVgZce4W+gbnVz34HZSg=
To: Christopher Wood <christopherwood07@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <0b19d021-8101-23ee-2899-450d103a8906@cs.tcd.ie>
Date: Thu, 28 Feb 2019 01:24:14 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="uleOLZzm10i7qUvJPnxxp9f7MrRFWXsE1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NSQLZ-hIkxrjFZ6dxutxS9qX5Qs>
Subject: Re: [TLS] Two Multi-CDN proposals
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 01:24:24 -0000

Hiya,

First, I think both are wrong:-)

If there are really different ESNI private value holders,
then each of those should provide separate ESNIKeys RR value
instances and the set of all of those should be in the RRset
returned when the ESNIKeys are queried.

Requiring different private value holders to find some
entity to wrap up all their crap into one single TLS blob
is not, IMO, a good design.

That said, we can fix that later I guess, even though we
will have to fix it sometime. (Fixing it now would be better!)
So I regard these ESNIKeys syntax decisions as only holding
temporarily.

On 27/02/2019 16:18, Christopher Wood wrote:
> Hi folks,
> 
> Below are two PRs that seek to address the multi-CDN issue discussed
> on this list and in meetings:
> 
>    1. https://github.com/tlswg/draft-ietf-tls-esni/pull/136
>    2. https://github.com/tlswg/draft-ietf-tls-esni/pull/137

I'm not sure of the details of #137 but I think I prefer
that one a bit. I suspect either of them will be a pain to
code given how we'll be mixing names and addresses.

#136 seems broken to me in that it gives the new AddressSet
invention priority over A/AAAA resolution. I think that'd
need much more justification as it essentially calls for
duplicating A/AAAA information over two administrative
domains which seems like a recipe for failure.

If #137 is adding mandatory extensions that are analogous
to X.509 extension criticality, then I think that's an
error. Despite good arguments, that has not worked out well
and this seems like the same mistake. (But as stated above,
I think all syntax here is temporary until we've made it
DNS admin friendly which it is not.)

My reason for preferring #137 is that (if I'm reading it
right, and I'm not sure!), it resolves a CNAME and then
compares the resulting A/AAAA acquired via normal CNAME
chasing to a mask from the ESNIKeys stuff. I think that
is a better approach than replicating A/AAAA values inside
a novel repetitive structure like ESNIKeys.

Lastly, we will need to fix the TLS-developer-friendly
but DNS-admin-unfriendly ESNIKeys structure, so why not
do that now too, as we're modifying it? IMO the way to do
that is for each ESNI private value holder's stuff to be
a separate RR value in the RRset (and so each is likely a
separate stanza in a zone file). I also think if we did
that we'd be able to simplify the ESNIKeys structure a
good bit all of which should lead to more robust and
simpler code. My current code for handling ESNIKeys is
very complex and long even though I've ignored the supposed
ways in which things can be extended - were I to have to
add real extension handling, it'd be even worse. Changing
to >1 RR value in the answer could make all this an awful
lot simpler and much better match the multi-CDN (or more
properly multi-private-value) scenarios.

So in summary:

- both are wrong:-)
- if I had to pick one to proceed with temporarily,
  I'd go with #137 despite it being unclear
- I'd rather we fix the ESNIKeys to be DNS friendly
  now too and not wait to have to inevitably fight
  that battle later (but fight I will:-)

Cheers,
S.

> 
> #136 implements the combined or stapled record approach discussed
> several times, most recently in [1]. It includes these via an ESNIKeys
> extension. #137 builds on this design with a mechanism that lets
> clients detect and recover from A/AAAA and ESNI mismatch (if desired).
> It is certainly more complex in several respects. A third variant,
> which is not (yet) in PR form, is a simplification of #137 wherein
> ESNIKeys addresses are only used as filters, instead of filters *or*
> complete addresses.
> 
> We are asking for feedback on these PRs, as we would like to merge one
> of them for the next draft version. As #136 is simpler and permits
> extensibility, that is the current preference.
> 
> Thanks in advance for your feedback.
> 
> Best,
> Chris (no hat, on behalf of the authors)
> 
> [1] https://mailarchive.ietf.org/arch/msg/tls/WXrPgaIsIPItDw3IQthmJk9VRlw
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email